
Re: EAP requestor for Initiator



Yoav,

I totally agree and understand your description in the last mail from
ikev2. My question is:
Can I have either the initiator or the responder as Authenticator, since my
case is peer to peer (not client-server)? Or does the Authenticator have to be
the Responder?

I want the Initiator as Authenticator and to let the initiator start the EAP
request; can it be done? If yes, then what does the ikev2 exchange look like?

Yoav Nir wrote:
> 
> It is true that EAP was added to IKEv2 with the roaming user in mind.
> However, I think your case is very similar:
> - The initiator (or "peer") wants to join the cloud, so it begins the
> responder (or "authenticator" or "proxy server")
> - The proxy server wants to verify the initiator's identity.  For
> verifying identities, it relies on the services of an external server,
> called the "authentication server".  This could be LDAP, or RADIUS or
> SecurID or whatever.
> - The authentication server starts an EAP conversation with the "peer",
> tunneled through the authenticator (the responder)
> - When it is satisfied, it sends a notification to the responder, which
> sends the client an EAP success.
> 
> This is how EAP works.  It always looks like the authenticator
> (responder) is starting the conversation.  See section 2 of RFC 2284.
> 
> On Wednesday, October 22, 2003, at 08:06 PM, Tom Hu wrote:
> 
> > Yoav,
> >
> > Thanks for your reply.
> >
> > I do not think my case is a client-server model.
> > It is rather a peer-to-peer model.
> >
> > The application is, for example, that the initiator (untrusted peer) wants
> > to join the secured cloud; it has to pass the authZ first.
> >
> > To pass the authZ, the initiator has to talk to the Authorization server
> > through the proxy (the responder is a proxy server).
> >
> > In this case, we want the initiator to start EAP negotiation, not
> > responder.
> >
> > It looks like EAP in the ikev2 draft is only applicable to the client-server
> > model.
> >
> > Tom Hu
> >
> > Yoav Nir wrote:
> >>
> >> In the remote-access scenario, the client is always the initiator.  In
> >> EAP, the gateway (or "authenticator") is always the initiator.  How
> >> can
> >> it be that the IKE initiator will also initiate the EAP?  Which is the
> >> client, and which is the gateway?
> >>
> >> On Wednesday, October 22, 2003, at 03:14 AM, Tom Hu wrote:
> >>
> >>> Hi all,
> >>>
> >>> The ikev2 draft explicitly describes the EAP request as initiated from the
> >>> Responder. Is it legit to have the EAP request initiated from the Initiator?
> >>> Please see the exchange below. Is this against the IKEv2 protocol?
> >>>
> >>> Note: when I say EAP requestor, I mean the node that sends the first
> >>> EAP packet.
> >>>
> >>>
> >>>   Initiator                          Responder
> >>>  -----------                        -----------
> >>>   HDR, SAi1, KEi, Ni         -->
> >>>                               <--    HDR, SAr1, KEr, Nr, [CERTREQ]
> >>>
> >>>   HDR, SK {IDi, [CERTREQ,] [IDr,]
> >>>            SAi2, TSi, TSr}   -->
> >>>                               <--    HDR, SK {IDr, [CERT,] AUTH}
> >>>   HDR, SK {EAP, [AUTH]}      -->
> >>>                               <--    HDR, SK {EAP, [AUTH]}
> >>>
> >>>   HDR, SK {EAP, [AUTH] }     -->
> >>>                               <--    HDR, SK {[AUTH], SAr2, TSi, TSr}
> >>>
> >>> Thanks,
> >>>
> >>> Tom Hu
> >>>
> >
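As an added illustration, not code from anyone in this thread: a small Python check that encodes the rule Yoav describes (the EAP Request always comes from the authenticator, which in IKEv2 is the responder) and runs it over the IKE_AUTH exchange from the draft and the exchange proposed at the start of the thread. The message lists and the rule set are my own simplified constructions; payload names follow the diagram above.

```python
# Added example, not code from the thread: a toy conformance check for the
# EAP ordering rule discussed above. The message lists are constructed by
# hand from the two IKE_AUTH exchanges on this page; "I" is the initiator
# (EAP peer) and "R" the responder (EAP authenticator).
from typing import List, Tuple

Message = Tuple[str, List[str]]  # (sender, payloads carried inside SK{})


def check_eap_exchange(msgs: List[Message]) -> List[str]:
    """Return the problems found; an empty list means the exchange follows
    the EAP-in-IKEv2 rules the thread describes."""
    problems: List[str] = []
    first_i = next((m for m in msgs if m[0] == "I"), None)
    # The peer asks for EAP by omitting AUTH from its first IKE_AUTH message.
    if first_i is None or "AUTH" in first_i[1]:
        problems.append("initiator's first IKE_AUTH must omit AUTH to request EAP")
    eap = [m for m in msgs if "EAP" in m[1]]
    if not eap:
        return problems + ["no EAP payload appears in the exchange"]
    # EAP Requests come only from the authenticator (RFC 2284 section 2), so
    # the first EAP payload must be sent by the responder.
    if eap[0][0] != "R":
        problems.append("first EAP payload is sent by the initiator; only the "
                        "authenticator (responder) sends EAP Requests")
    # Each initiator EAP answers the responder's previous Request, so senders alternate.
    for prev, cur in zip(eap, eap[1:]):
        if prev[0] == cur[0]:
            problems.append(f"consecutive EAP payloads from {cur[0]}; Request/Response must alternate")
    return problems


# IKE_AUTH as in the IKEv2 draft: the responder sends the first EAP payload.
DRAFT_EXCHANGE: List[Message] = [
    ("I", ["IDi", "SAi2", "TSi", "TSr"]),
    ("R", ["IDr", "CERT", "AUTH", "EAP"]),
    ("I", ["EAP"]), ("R", ["EAP"]),
    ("I", ["EAP"]), ("R", ["EAP"]),  # final EAP carries Success
    ("I", ["AUTH"]),
    ("R", ["AUTH", "SAr2", "TSi", "TSr"]),
]

# IKE_AUTH as proposed in the first mail of the thread: initiator sends the first EAP.
PROPOSED_EXCHANGE: List[Message] = [
    ("I", ["IDi", "SAi2", "TSi", "TSr"]),
    ("R", ["IDr", "CERT", "AUTH"]),
    ("I", ["EAP"]), ("R", ["EAP"]),
    ("I", ["EAP"]),
    ("R", ["AUTH", "SAr2", "TSi", "TSr"]),
]
```

Running `check_eap_exchange` on `DRAFT_EXCHANGE` yields no problems, while `PROPOSED_EXCHANGE` is flagged only because its first EAP payload comes from the initiator.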